I run a web site dedicated to the local music scene. As such, I host my own videos via the free Darwin Streaming Media server. I ran out of space on my old server, so I rsynced all the files to a new server with a newer version of Fedora Core. Everything is set up fine. I copied my iptables rules over to the new server. But now there is a problem with some new security feature I've never had to deal with before called SELinux.
There was a thread on FedoraForum that explains how to use audit2allow -i /var/log/messages -l to scan /var/log/messages and automatically display the text of a rule that I need to import somehow into SELinux as a rule.
Anyone know what to do to get SELinux to import this rule:
Code:
allow unconfined_t sbin_t:file execmod;
And is that a rule I should import?
Here is the original message log:
Code:
Feb 4 12:30:48 marshal kernel: audit(1170610248.995:10): avc: denied { execmod } for pid=13137 comm="DarwinStreaming" name="QTSSHomeDirectoryModule" dev=dm-0 ino=786456 scontext=user_u:system_r:unconfined_t:s0 tcontext=root:object_r:sbin_t:s0 tclass=file
Feb 4 12:30:49 marshal kernel: audit(1170610249.000:11): avc: denied { execmod } for pid=13137 comm="DarwinStreaming" name="QTSSRefMovieModule" dev=dm-0 ino=786457 scontext=user_u:system_r:unconfined_t:s0 tcontext=root:object_r:sbin_t:s0 tclass=file
Here is the url of the Fedora Forum thread (this bbs won't let me add it to this post because it is my first post) fedoraforum.org/forum/showthread.php?t=31205
For audit2allow you need to:
1. install the selinux-policy-$POLICYTYPE-sources,
2. run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te",
3. "make -C /etc/selinux/$POLICYTYPE/src/policy load".
[font size = fsckin humonguous]Note on RHEL5 / FC6 there are no more selinux-policy-$POLICYTYPE-sources, so instead you:
1. "audit2allow -M custom < /var/log/audit/audit.log",
2. "semodule -i custom.pp".
Last edited by unSpawn; 02-05-2007 at 11:54 AM.
Reason: //clarification n such
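An added illustration (not part of the thread and not audit2allow's own code) of what the audit2allow step above derives from the two denials in the first post: it parses the AVC fields, groups them into an allow rule, keeps the denied object names, and flags memory-protection permissions such as execmod for review before anything is loaded. The function names and the RISKY set are choices made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the first post plus one unrelated line.
SAMPLE_LOG = """\
Feb 4 12:30:48 marshal kernel: audit(1170610248.995:10): avc: denied { execmod } for pid=13137 comm="DarwinStreaming" name="QTSSHomeDirectoryModule" dev=dm-0 ino=786456 scontext=user_u:system_r:unconfined_t:s0 tcontext=root:object_r:sbin_t:s0 tclass=file
Feb 4 12:30:49 marshal kernel: audit(1170610249.000:11): avc: denied { execmod } for pid=13137 comm="DarwinStreaming" name="QTSSRefMovieModule" dev=dm-0 ino=786457 scontext=user_u:system_r:unconfined_t:s0 tcontext=root:object_r:sbin_t:s0 tclass=file
Feb 4 12:31:02 marshal kernel: eth0: link up
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Memory-protection permissions that deserve a manual look before being allowed.
RISKY = {"execmod", "execmem", "execstack", "execheap"}

def parse_avc(line):
    """Return (src_type, tgt_type, class, perms, name) or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    try:
        # A context is user:role:type[:mls]; an allow rule only uses the type.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return src, tgt, tclass, set(m.group(1).split()), fields.get("name", "").strip('"')

def summarize(log_text):
    """Group denials into allow rules, keeping the object names behind each rule."""
    rules = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            src, tgt, tclass, perms, name = d
            rules[(src, tgt, tclass)]["perms"] |= perms
            rules[(src, tgt, tclass)]["names"].add(name)
    out = []
    for (src, tgt, tclass), e in sorted(rules.items()):
        perms = sorted(e["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append({"rule": f"allow {src} {tgt}:{tclass} {text};",
                    "objects": sorted(e["names"]), "risky": sorted(e["perms"] & RISKY)})
    return out

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["rule"], "| objects:", r["objects"], "| review:", r["risky"])
```

The derived rule is type-level: it grants execmod to unconfined_t on every file labelled sbin_t, not only on the two Darwin modules named in the denials.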
Thanks for trying to help me out, but right off the bat, I can tell you that I have no /var/log/audit directory on my system. I am fairly sure I am running FC5.
I did find a config file for selinux in my etc file.
Code:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
For audit2allow you need to:
1. install the selinux-policy-$POLICYTYPE-sources,
2. run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te",
3. "make -C /etc/selinux/$POLICYTYPE/src/policy load".
Note on RHEL5 / FC6 there are no more selinux-policy-$POLICYTYPE-sources, so instead you:
1. "audit2allow -M custom < /var/log/audit/audit.log",
2. "semodule -i custom.pp".
OK, I gather from your instructions that since I am using Fedora Core 5, I don't have to install the selinux-policy-$POLICYTYPE-sources. So instead I need to ...
1. "audit2allow -M custom < /var/log/audit/audit.log",
2. "semodule -i custom.pp".
Ok. I'll try step one. Here is what I get.
Code:
# audit2allow -M custom < /var/log/audit/audit.log
-bash: /var/log/audit/audit.log: No such file or directory
I don't have any audit directory in my /var/log directory. Did you get the redirection wrong or something?
OK, I gather from your instructions that since I am using Fedora Core 5, I don't have to install the selinux-policy-$POLICYTYPE-sources.
I read that exactly the other way around. Because you don't run FC6 you'll have to install... etc, etc.
Quote (unSpawn): For audit2allow you need to:
1. install the selinux-policy-$POLICYTYPE-sources,
2. run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te",
3. "make -C /etc/selinux/$POLICYTYPE/src/policy load".
Ahhh Ha! Ok. So how do I do step one? When I echo the global variable $POLICYTYPE it returns a blank.